Title: Self-hosting at home and privacy | |
Author: Solène | |
Date: 10 September 2024 | |
Tags: privacy selfhosting life | |
Description: In this blog post, you will learn that self-hosting your | |
own services at home coud leak some information about you | |
# Introduction | |
You may self-host services at home, but you need to think about the | |
potential drawbacks for your privacy. | |
Let's explore what kind of information could be extracted from | |
self-hosting, especially when you use a domain name. | |
# Public information | |
## Domain WHOIS | |
A domain name must expose some information through WHOIS queries, | |
basically who is the registrar responsible for it, and who could be | |
contacted for technical or administration matters. | |
Almost every registrar will offer you feature to hide your personal | |
information, you certainly not want to have your full name, full | |
address and phone number exposed on a single WHOIS request. | |
You can perform a WHOIS request on the link below, directly managed by | |
ICANN. | |
ICANN Lookup | |
## TLS certificates using ACME | |
If you use TLS certificates for your services, and ACME (Let's Encrypt | |
or alternatives), all the domains for which a certificate was emitted | |
can easily be queried. | |
You can visit the following website, type a domain name, and you will | |
immediately have a list of existing domain names. | |
crt.sh Certificate Search | |
In such situation, if you planned to keep a domain hidden by not | |
sharing it with anyone, you got it wrong. | |
## Domain name | |
If you use a custom domain in your email, it is highly likely that you | |
have some IT knowledge and that you are the only user of your email | |
server. | |
Using this statement (IT person + only domain user), someone having | |
access to your email address can quickly search for anything related to | |
your domain and figure it is related to you. | |
## Public IP | |
Anywhere you connect, your public IP is known of the remote servers. | |
Some bored sysadmin could take a look at the IPs in their logs, and | |
check if some public service is running on it, polling for secure | |
services (HTTPS, IMAPS, SMTPS) will immediately give associated domain | |
name on that IP, then they could search even further. | |
# Mitigations | |
There are not many solutions to prevent this, unfortunately. | |
The public IP situation could be mitigated by either continuing hosting | |
at home by renting a cheap server with a public IP and establish a VPN | |
between the two and use the public IP of the server for your services, | |
or to move your services to such remote server. This is an extract | |
cost of course. When possible, you could expose the service over Tor | |
hidden service or I2P if it works for your use case, you would not need | |
to rent a server for this. | |
The TLS certificates names being public could be easily solved by | |
generating self-signed certificates locally, and deal with it. | |
Depending on your services, it may be just fine, but if you have | |
strangers using the services, the fact to accept to trust the | |
certificate on first use (TOFU) may appear dangerous. Some software | |
fail to connect to self-signed certificates and do not offer a | |
bypass... | |
# Conclusion | |
Self-hosting at home can be practical for various reasons: reusing old | |
hardware, better local throughput, high performance for cheap... but | |
you need to be aware of potential privacy issues that could come with | |
it. |